When you apply for a sensitive position in the US government, you can expect to be checked out by the FBI. Using ‘Standard Form 86’, the FBI will thoroughly investigate every aspect of your health, personal life and history. You’d think that such information would be held pretty securely. Yet in June this year, it came to light that somewhere between four and 14 million of these forms had been hacked and stolen (the suspect is another government). If even the US government cannot keep safe its most sensitive data, where does that leave the rest of us?
BT runs the world’s largest network; every month we block two million viruses and prevent five million suspicious (and 250,000 definite) attacks on our infrastructure. And we can report that the trend is up - the frequency and intensity of attacks have escalated even in the past few months.
Sophisticated, multipronged cyber strikes can do serious damage to essential public services, transport, banking infrastructure and organisations of every type. Understandably, the UK government now categorises cyber attacks as a Tier One threat alongside international terrorism. Even sporting events are targets - the security BT put in place for our London 2012 Olympic and Paralympic Games communications network withstood as many as nine million attacks a day.
In line of fire
In the UK, the number one target for cyber criminals is the public sector. According to the latest 2015 Global Threat Intelligence Report (which analysed over six billion security attacks in 2014), nearly 40% of malware attacks in the UK last year were against public sector organisations. Why? The answer is obvious: thieves want to steal the very valuable data held by government departments and agencies. So what’s to be done? In the age of mobility and cloud services, we can’t keep data and computers locked away in a secure room any more.
There are no easy solutions. Like everyone else, central government must do more with less money. At the same time, it needs to consolidate office space and introduce more flexible, mobile ways of working as well as move its IT infrastructure and services into the cloud. A balance has to be struck between more openness and better security.
Should there be a centralised approach? Perhaps the UK should have a central government cyber security capability? But previous experience suggests that a blanket security policy makes little sense. Government departments and agencies have different needs when it comes to business risk and therefore security. So the overall strategy from the Government Digital Service is to let departments and agencies assess their own risks and implement appropriate security measures. However, not every public sector organisation will have the skills in place to assess risk - cyber security specialists are in short supply around the world. And whilst individual security measures may differ, the need for holistic visibility, real-time analysis, prioritisation and co-ordination of security responses across government organisations remains.
One organisation which has recognised the skill gap is Staffordshire Police, which has hired a team of digital experts to help tackle cybercrime as part of a dedicated digital intelligence team. The Chief Constable said: “We have changed the way we think about investigating crime because society has changed the way that crime is committed.” ‘Changing the way we think’ is an important message for the public sector, which must move on from a culture of risk avoidance to acknowledging and managing risk professionally.
Building a better defence
It is not a time for fragmented or DIY solutions and government CIOs or CISOs don’t need to go it alone. They should call in experts in security who can help them properly guard their valuable information against attack with sophisticated and proactive protection, intelligence, monitoring and advanced, integrated ‘big data’ analysis, threat detection, response and control services. Using comprehensive managed security solutions to protect cloud services makes sense and could help to make savings that can be used to keep more staff in front line jobs.
Government can also learn from other organisations such as BT, which has surprising similarities with government agencies. We employ thousands of people spread around the country; we’ve had to get our costs down, introduce more flexible working and reduce our office space; and we’ve got highly valuable assets that criminals would love to get hold of, such as the live football games we carry on BT Sport, as well as our customer information. We have a lot in common and can help our government colleagues begin to build better cyber defences at the national scale needed.
Given cyber security is such a hot topic, we are dedicating a whole day to it, on 16 July 2015. From 8:30am to 2:00pm we are hosting Reform’s and KPMG’s conference on ‘Cyber security: assurance, resilience, response’. This will be followed by lunch plus a session at the BT Showcase where our team of experts will provide insight into the current threat landscape and talk about how BT protects our own global network and our customers. We’ll also demonstrate the technologies we use to maintain threat intelligence, visibility and management, and discuss how that experience can help you to manage and mitigate the cyber risk.